Bug 401655 - net-misc/curl<7.23.1: SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer (CVE-2011-3389, CVE-2012-0036)
Summary: net-misc/curl<7.23.1: SSL CBC IV vulnerability when built to use OpenSSL fo...
Status: RESOLVED DUPLICATE of bug 400799
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://curl.haxx.se/docs/adv_20120124...
Whiteboard: B3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-31 16:40 UTC by Viorel Tabara
Modified: 2012-01-31 16:53 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Viorel Tabara 2012-01-31 16:40:59 UTC
curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL
for the SSL/TLS layer.

This vulnerability has been identified (CVE-2011-3389) and is addressed by
OpenSSL already as they have made a work-around to mitigate the problem.
When doing so, they figured out that some servers didn't work with the
work-around and offered a way to disable it.

The bit used to disable the workaround was then added to the generic
SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for
better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.

While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it
does in this case effectively enable this security vulnerability again.

There is no known exploit for this problem.
Reproducible: Always
Comment 1 Viorel Tabara 2012-01-31 16:53:35 UTC

*** This bug has been marked as a duplicate of bug 400799 ***